Cyber attacks on third party service providers – who has to investigate the data breach?
Cyber attacks on third party service providers to businesses raise many issues with respect to the security of data shared with service providers and compliance with legal obligations with respect to that data.
Amongst other things, businesses covered by the Privacy Act have obligations to take reasonable precautions to prevent the unauthorised disclosure of personal information, to investigate and assess data breaches, to report eligible data breaches to the Office of the Information Commissioner (OAIC) and to notify individuals who may be adversely affected by a breach.
Where personal information is shared with a third-party service provider, one particular issue that can arise in the event of a cyber breach is whether one or both of those entities is responsible for investigating and complying with reporting and notification obligations under the Privacy Act.
We recently had cause to consider this in advising a client where the personal information of its employees was accessed in a ransomware attack on its payroll service provider. The service provider informed our client that it considered the incident amounted to an eligible data breach (because the accessing of the information by the perpetrator was likely to result in a risk of serious harm to the employees concerned). As a result, obligations to report to the OAIC and to notify the relevant employees arose.
Where more than one entity each holds personal information which has been compromised in an eligible data breach, the Privacy Act only requires one of those entities to undertake the necessary reporting and notifications. OAIC guidelines suggest that it will ordinarily be appropriate for the entity with the most direct connection to the affected individuals to undertake those steps. In practice this will generally be the entity that is in the best position to investigate and assess the breach, undertake notifications and liaise with the OAIC.
Where the data breach affecting employees of a business is part of a wider data breach suffered by the payroll service provider, the service provider may in fact be in the best position to take the necessary steps.
However, the business affected must still have regard to its general duties to take reasonable steps to protect the personal information of its employees and its other general law duties of care to its employees. This will ordinarily require a reasonable independent assessment of the nature of the data breach and the risk to its employees and a coordinated approach to undertaking reporting and notification along with the service provider.
This article provides general commentary only. It is not legal advice. Before acting on the basis of any material contained in this article, seek professional advice.
Our team of cyber and information security specialists advises clients at each stage of the data lifecycle – from proactive risk management to incident response and recovery.
From the outset, we work closely with our clients to identify and manage internal and external data privacy and security risks through legal documentation, establishment of appropriate board and management governance arrangements, policies and procedures, on-boarding arrangements and IT protection. This includes ensuring compliance with regulated and contractual cyber and information security requirements and having effective arrangements in place to manage cyber security supply chain risks and response plans in the event of a cyber attack or data breach.
Cyber Alliance Group
The Cyber Alliance Group is a collaboration between DMAW Lawyers, Comunet and Digital Trace Australia to provide comprehensive cyber security advice and services to business.
Whether you are responding to a cyber security incident or are looking to proactively enhance your cyber security processes and governance, we can provide a range of services that will enable you to re-focus your attention where it’s needed – your business.